CVE-2012-3515 – qemu: VT100 emulation vulnerability
https://notcve.org/view.php?id=CVE-2012-3515
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space." Qemu, tal como se utiliza en Xen v4.0, v4.1 y posiblemente otros productos, al emular ciertos dispositivos con una consola virtual, permite a los usuarios locales del SO invitado obtener privilegios a través de una secuencia VT100 de escape manipulada que desencadena la sobrescritura del espacio de direcciones de un "device model's address space." • http://git.qemu.org/?p=qemu-stable-0.15.git%3Ba=log http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00016.ht • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2012-2652
https://notcve.org/view.php?id=CVE-2012-2652
The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file. La función bdrv_open en Qemu v1.0 no gestiona de forma adecuada el fallo en la función mkstemp en un nodo snapshot, lo que permite a usuario locales sobrescribir o leer ficheros a través de un ataque de enlace simbólico sobre un fichero temporal no especificado. • http://git.kernel.org/?p=virt/kvm/qemu-kvm.git%3Ba=commit%3Bh=eba25057b9a5e19d10ace2bc7716667a31297169 http://git.qemu.org/?p=qemu-stable-0.15.git%3Ba=log http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00024.html http://secunia.com/advisories/50132 http://secunia.com/advisories/50689 http://www.debian.org/security/2012/dsa-2545 http://www.securityfocus.com/bid/53725 http://www.ubuntu.com/usn/USN-1522-1 •
CVE-2011-4111 – qemu: ccid: buffer overflow in handling of VSC_ATR message
https://notcve.org/view.php?id=CVE-2011-4111
Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message. Desbordamiento de buffer en la función ccid_card_vscard_handle_message en hw/ccid-card-passthru.c en QEMU anterior a 0.15.2 y 1.x anterior a 1.0-rc4 permite a atacantes remotos causar una denegación de servicio (caída) y posiblemente ejecutar código arbitrario a través de un mensaje VSC_ATR manipulado. • http://git.qemu.org/?p=qemu-stable-0.15.git%3Ba=log http://git.qemu.org/?p=qemu.git%3Ba=log%3Bh=refs/heads/stable-1.0 http://rhn.redhat.com/errata/RHSA-2011-1777.html http://rhn.redhat.com/errata/RHSA-2011-1801.html https://bugzilla.redhat.com/show_bug.cgi?id=751310 https://access.redhat.com/security/cve/CVE-2011-4111 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2011-1751 – qemu: acpi_piix4: missing hotplug check during device removal
https://notcve.org/view.php?id=CVE-2011-1751
The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers." La función pciej_write en hw/acpi_piix4.c en la emulación de PIIX4 Power Management en qemu-kvm no comprueba si un dispositivo es conectable en caliente antes de desconectar el puente PCI-ISA, lo que permite causar una denegación de servicio y posiblemente ejecutar código de su elección a los usuarios privilegiados invitados mediante el envío de un valor específico al puerto I/O 0xae08 (PCI_EJ_BASE), lo que provoca a un uso después de liberación relacionado con "temporizadores qemu activos". • http://blog.nelhage.com/2011/08/breaking-out-of-kvm http://git.kernel.org/?p=virt/kvm/qemu-kvm.git%3Ba=commit%3Bh=505597e4476a6bc219d0ec1362b760d71cb4fdca http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html http://lists.opensuse.org/opensuse-updates/2011-05/msg00043.html http://rhn.redhat.com/errata/RHSA-2011-0534.html http://secunia.com/advisories/44393 http://secunia.com/advisories/44458 http://secunia.com/advisories/44648 http://secunia.com/advisories/44658 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •